If current version is AM 8.8, no patches

8.8 P3 HF2 addresses the following CVEs

CVE-2013-7285, CVE-2021-21342, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21351

But

AM 8.9 P1 will include Oracle Web Logic Jan2026CPU and include Hot Fix 2 for P3 of AM 8.8 by end of March.

So for latest CVE vulnerability protection RIGHT NOW at the begining of March 2026.

1. Update to AM 8.8 P3 – primary first, then replicas one at a time. Check replication status when done with last replica. Make sure Status = good
2. Update to AM 8.8 P3 Hot fix 2 – primary first, then replicas one at a time. Check replication status ...

Optionally skip P3 and HF 2 and

1. Update to AM 8.9 - primary first, then replicas...
2. Plan to Update to 8.9 Patch 1 – primary first, then replicas by the end of March

Do you need to worry about the 8.8 P1 or P3?

Documentation says No, latest patch rolls up earlier patches. But Hot Fixes are just that, a single fix for a specific patch.